def check_ticket(self, ticket):
    """
    Verify that a ticket chains up to one of the trusted certificates.

    The ticket string is loaded into an SfaTicket and verify_chain() is
    called with self.trusted_cert_list. True is returned only when that
    call returns normally; its return value is not inspected here, so a
    bad chain is presumably reported by an exception from verify_chain()
    (NOTE(review): confirm it raises rather than returning a falsy value).

    Raises MissingTrustedRoots, built from the configured trusted-roots
    directory, when self.trusted_cert_list is empty or unset.
    """
    if not self.trusted_cert_list:
        # Fail closed: with no trusted roots loaded nothing can be verified,
        # so the ticket is rejected instead of being accepted unchecked.
        raise MissingTrustedRoots(self.config.get_trustedroots_dir())

    SfaTicket(string=ticket).verify_chain(self.trusted_cert_list)
    return True
def check_ticket(self, ticket):
    """
    Check that the ticket was signed by a trusted certificate.

    Returns True once verify_chain() has completed against
    self.trusted_cert_list. The result of verify_chain() is discarded, so
    rejection of a bad ticket depends on that call raising
    (NOTE(review): confirm against SfaTicket.verify_chain).

    Raises MissingTrustedRoots (carrying the trusted-roots directory from
    the configuration) when the trusted certificate list is empty.
    """
    if self.trusted_cert_list:
        signed_ticket = SfaTicket(string=ticket)
        signed_ticket.verify_chain(self.trusted_cert_list)
        return True

    # An empty trust store must not be read as "accept everything".
    raise MissingTrustedRoots(self.config.get_trustedroots_dir())
def redeem_ticket(api, ticket_string):
    """
    Pass the attributes of a decoded ticket to the node manager.

    The slice name is derived from the hrn of the first entry in the
    ticket's 'slivers' attribute. SliverDoesNotExist is raised when
    api.sliver_exists() reports no sliver under that name.

    NOTE(review): this function only decodes the ticket; it makes no
    verify_chain/check_ticket call before AdminTicket() is invoked.
    Presumably the caller has already verified the signature chain --
    confirm, because the attributes are forwarded as-is.
    NOTE(review): a ticket without a 'slivers' entry, or with an empty
    list, fails here with KeyError/IndexError rather than a domain error.
    """
    redeemed = SfaTicket(string=ticket_string)
    redeemed.decode()

    # Only the first sliver entry is consulted to find the slice.
    first_sliver = redeemed.attributes['slivers'][0]
    sliver_name = PlXrn(first_sliver['hrn']).pl_slicename()
    if not api.sliver_exists(sliver_name):
        raise SliverDoesNotExist(sliver_name)

    # The node manager receives the ticket attributes serialised as an
    # XML-RPC method response.
    nm_payload = xmlrpclib.dumps((redeemed.attributes,), methodresponse=True)
    api.driver.nodemanager.AdminTicket(nm_payload)
def testGetTicket(self):
    """
    Request a ticket from the aggregate and load it as an SfaTicket.

    A slice credential is fetched from the client, the aggregate's
    resources are used as the rspec, and the string returned by
    GetTicket() is handed to the SfaTicket constructor.
    """
    slice_cred = self.client.GetCredential(self.slice['hrn'], 'slice')
    advertised = self.aggregate.get_resources(self.credential)
    ticket_string = self.aggregate.GetTicket(slice_cred, self.slice['hrn'], advertised)

    # Per the original author's note, construction raises if the ticket is
    # not valid.
    # NOTE(review): no verify_chain() call is made, so this presumably only
    # proves the string loads; the signature chain is not asserted -- confirm.
    SfaTicket(string=ticket_string)
def get_auth_ticket(self, xrn):
    """
    Build, encode and sign a delegatable ticket for the authority in xrn.

    The authority's GID is set as both caller and object of the ticket and
    its public key becomes the ticket's public key. The issuer depends on
    whether get_authority() finds a parent for the hrn:

    * no parent: the ticket is issued with the authority's own private
      key and hrn (self-signed);
    * parent present: the ticket is issued with the parent's private key
      and hrn, and the parent's authority credential from get_auth_cred()
      is attached as the ticket's parent.

    Returns the signed SfaTicket object (not its string form).
    """
    # The type half of the urn is not used; the underscore name avoids
    # shadowing the builtin.
    hrn, _type = urn_to_hrn(xrn)
    auth_info = self.get_auth_info(hrn)
    authority_gid = auth_info.get_gid_object()

    ticket = SfaTicket(subject=hrn)
    ticket.set_gid_caller(authority_gid)
    ticket.set_gid_object(authority_gid)
    # Delegation is switched on unconditionally for authority tickets.
    ticket.set_delegate(True)
    ticket.set_pubkey(auth_info.get_gid_object().get_pubkey())

    parent_hrn = get_authority(hrn)
    if parent_hrn:
        # The parent's private key is needed to sign this ticket.
        parent_info = self.get_auth_info(parent_hrn)
        ticket.set_issuer(parent_info.get_pkey_object(), parent_info.hrn)
        ticket.set_parent(self.get_auth_cred(parent_hrn))
    else:
        # No parent hrn means a top-level authority: the ticket is
        # self-signed, which is where the chain terminates.
        ticket.set_issuer(auth_info.get_pkey_object(), hrn)

    ticket.encode()
    ticket.sign()
    return ticket
def GetTicket(self, api, xrn, creds, rspec, users, options):
    """
    Collect tickets from the aggregates named in rspec and re-issue one.

    Every './network' element of the client rspec names an aggregate; each
    of them is sent the whole rspec through server.GetTicket on its own
    thread. The returned tickets are loaded, their rspecs merged, and
    their 'initscripts' and 'slivers' attributes concatenated. A new
    ticket for the slice is then issued under api.key / api.hrn and
    returned as a string with its parents included.

    Raises whatever api.auth.checkCredentials() raises for credentials
    that do not permit 'getticket' on the slice.
    """
    slice_hrn, _type = urn_to_hrn(xrn)

    # NOTE(review): the client-supplied rspec is parsed before
    # checkCredentials() runs below; confirm the calling method has already
    # authenticated the request and that this etree parser does not resolve
    # external entities.
    tree = etree.parse(StringIO(rspec))
    aggregate_rspecs = {}
    for network in tree.findall('./network'):
        # The first attribute value of <network> is taken as the aggregate
        # hrn; each aggregate receives the complete rspec.
        aggregate_rspecs[network.values()[0]] = rspec

    # Identify the caller from the first credential that validates.
    valid_cred = api.auth.checkCredentials(creds, 'getticket', slice_hrn)[0]
    caller_hrn = Credential(string=valid_cred).get_gid_caller().get_hrn()

    # Prefer a delegated credential; fall back to this server's own.
    cred = api.getDelegatedCredential(creds) or api.getCredential()

    threads = ThreadManager()
    for aggregate, aggregate_rspec in aggregate_rspecs.iteritems():
        # xxx sounds like using call_id here would be safer
        # Loop prevention: a request is not sent back to the aggregate it
        # came from, unless that aggregate is this server itself.
        if caller_hrn != aggregate or aggregate == api.hrn:
            interface = api.aggregates[aggregate]
            server = api.server_proxy(interface, cred)
            threads.run(server.GetTicket, xrn, [cred], aggregate_rspec, users, options)

    # NOTE(review): the aggregate tickets are loaded and merged without a
    # verify_chain() call in this function, then re-issued under api.key.
    # Confirm the responses are authenticated elsewhere.
    merged_rspec = None
    initscripts = []
    slivers = []
    object_gid = None
    for result in threads.get_results():
        agg_ticket = SfaTicket(string=result)
        attrs = agg_ticket.get_attributes()
        if not object_gid:
            # The object GID of the first ticket is reused for the new one.
            object_gid = agg_ticket.get_gid_object()
        if merged_rspec:
            merged_rspec.version.merge(agg_ticket.get_rspec())
        else:
            merged_rspec = RSpec(agg_ticket.get_rspec())
        initscripts.extend(attrs.get('initscripts', []))
        slivers.extend(attrs.get('slivers', []))

    # NOTE(review): with no results (no <network> element, or every
    # aggregate skipped) object_gid and merged_rspec are still None, and
    # object_gid.get_pubkey() below fails with AttributeError.
    ticket = SfaTicket(subject=slice_hrn)
    ticket.set_gid_caller(api.auth.client_gid)
    ticket.set_issuer(key=api.key, subject=api.hrn)
    ticket.set_gid_object(object_gid)
    ticket.set_pubkey(object_gid.get_pubkey())
    # No parent is attached to the new ticket; the original carries a
    # commented-out set_parent() call at this point.
    ticket.set_attributes({'initscripts': initscripts, 'slivers': slivers})
    ticket.set_rspec(merged_rspec.toxml())
    ticket.encode()
    ticket.sign()
    return ticket.save_to_string(save_parents=True)